From cfdbad27fe0b1c5e98b127f2c3d22258e233ef11 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 10:37:21 -0400 Subject: add /etc/postfix/checks directory and setup a check_helo_access that allows admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694) Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4 --- puppet/modules/site_postfix/manifests/checks.pp | 23 ++++++++++++++++++++++ puppet/modules/site_postfix/manifests/mx.pp | 1 + .../site_postfix/manifests/mx/smtpd_checks.pp | 4 +++- .../site_postfix/templates/checks/helo_access.erb | 21 ++++++++++++++++++++ 4 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/checks.pp create mode 100644 puppet/modules/site_postfix/templates/checks/helo_access.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp new file mode 100644 index 00000000..06f9a7a4 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/checks.pp @@ -0,0 +1,23 @@ +class site_postfix::checks { + + file { + '/etc/postfix/checks': + ensure => directory, + mode => '0755', + owner => root, + group => postfix, + require => Class['postfix']; + + '/etc/postfix/checks/helo_checks': + content => template('site_postfix/checks/helo_access.erb'), + mode => '0644', + owner => root, + group => root; + } + + exec { + '/usr/sbin/postmap /etc/postfix/checks/helo_checks': + refreshonly => true, + subscribe => File['/etc/postfix/checks/helo_checks']; + } +} diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2e68297d..e5dc1c7b 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -18,6 +18,7 @@ class site_postfix::mx { } include site_postfix::mx::smtpd_checks + include site_postfix::checks include site_postfix::mx::tls # greater verbosity for debugging, take out for production diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 7ade8588..795c1703 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,6 +1,8 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'checks_dir': + value => '$config_directory/checks'; 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': @@ -8,7 +10,7 @@ class site_postfix::mx::smtpd_checks { 'smtpd_delay_reject': value => 'yes'; 'smtpd_helo_restrictions': - value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; + value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_recipient_restrictions': value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts diff --git a/puppet/modules/site_postfix/templates/checks/helo_access.erb b/puppet/modules/site_postfix/templates/checks/helo_access.erb new file mode 100644 index 00000000..bef3c11d --- /dev/null +++ b/puppet/modules/site_postfix/templates/checks/helo_access.erb @@ -0,0 +1,21 @@ +# THIS FILE IS MANAGED BY PUPPET +# To make changes to this file, please edit your platform directory under +# puppet/modules/site_postfix/templates/checks/helo_access.erb and then deploy + +# The format of this file is the HELO/EHLO domain followed by an action. +# The action could be OK to allow it, REJECT to reject it, or a custom +# status code and message. Any lines that are prefixed by an octothorpe (#) +# will be considered comments. + +# Some examples: +# +# Reject anyone that HELO's with foobar: +# foobar REJECT +# +# Allow the switches to skip this check: +# switch1 OK +# switch2 OK + +# Reject anybody that HELO's as being in our own domain(s) +# anyone who identifies themselves as us is a virus/spammer +<%= domain %> 554 You are not in domain <%= domain %> -- cgit v1.2.3